MI5 website vuln builds mountain out of molehill

Hackers have uncovered information security shortcomings involving MI5's website, even though the problem is nowhere near as severe as one tabloid paper claims.

A breathless Daily Express "exclusive" on Thursday claimed the breach created a possible means for hackers to attack the computers of surfers visiting the security service's website and steal information. It's highly unlikely that confidential data held by the security service itself was exposed by the attack, even the Daily Express concedes.

In any case the flaw has now been resolved, so visitors are no longer at risk.

The Daily Express claims the MI5 attack was carried out by a hacking crew called "Team Elite", who are also reportedly responsible for attacks against the World Health Organisation’s website (as earlier reported by SoftPedia in greater depth here).

Team Elite, which notified MI5 about the problem, explains that MI5's search engine is vulnerable to XSS (cross-site scripting) and iFrame Injection attacks. Screenshots produced by the group suggest hackers could have used the now-patched flaw to present content under their control in frames that would appear (on cursory inspection, at least) to originate from MI5 itself.

The problem, such as it was, arose because the search form on MI5's website allowed code to pass as a search string, creating a code injection risk. XSSed, which maintains an archive of cross-site scripting bugs, reposts similar flaws also involved the search engine of the security service's website but dating from September 2007.

Team Elite published its advisory more than a week ago, on 21 July. Some of the more excitable coverage on Thursday sparked off but far from limited to the Daily Express, suggested the MI5's website was hacked into and that the nation's cybersecurity or perhaps even national security was imperiled as a result.

The truth is far more mundane.

Graham Cluley, senior technology consultant at Sophos, said it was "implausible" for MI5 to hold any sensitive data on systems connected to a public facing website, still less that confidential information would be unencrypted. Although the vulnerability on MI5's website is "highly unlikely to have compromised classified information", it still ought to serve as a wake-up call for sys admins - as Sophos notes, the majority of web-based malware attacks are these days launched from legitimate websites. ®